a Review on Tracker and Script Blocker Extensions for Firefox

Saturday, May 16, 2015

firefox-extensiontrackersscript-blockers

I saw multiple posts recently where people wanted to know which addons are redundant, so I decided to do some tests and research. Let me know if you want to add or correct something. The following addons will be covered:

uBlock Origin: uBlock Origin is free, open source, and it has good memory performance. However, be aware that it blocks Google Analytics, which breaks many websites. But the add-on has various toggles that allow you to turn blocking off (on a per site basis).

uMatrix: If you are a more advanced user, you want to consider uMatrix. uMatrix is a firewall which works in relaxed “block-all/allow-exceptionally” mode out of the box. This causes many sites to break, if not configured by the user.

AdBlock Edge: Before the release of uBlock, I recommended using AdBlock Edge — but this add-on has been discontinued by the developer because “uBlock is faster and available for more platforms”.

AdBlockPlus: This is another version of Adblock that includes the “Acceptable Ads Whitelist”.

Disconnect: Disconnect is part of the Abine Blur suite of apps. Personally, I use the Blur apps for masking my identity online. But the Disconnect add-on doesn’t block quite as many items as uBlock Origin — so I am using uBlock Origin together with Disconnect.

Privacy Badger: Privacy Badger doesn’t come with a singular list of sites to block, but instead blocks domains that are seen across many domains.

Ghostery: Ghostery is a proprietary add-on has been largely replaced by uBlock Origin. It also send data back to the developer, which is worrying from a privacy standpoint.

NoScript: NoScript allows active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.

uMatrix vs NoScript

If you set uMatrix to deny-all, allow manually mode and block the 1-st party section globally, it should block content like NoScript does. However, it appears that whitelisting a domain in uMatrix will make you vulnerable to XSS attacks on that domain. NoScript will protect you against XSS even if the domain is whitelisted. If you are not worried about XSS then it’s OK to use uMatrix with deny by default mode.

Reasons to use uMatrix:

more customizable

more friendly towards stuff like CSS and images, therefor is less likely to “break” the site layout.

uBlock Origin with Dymanic Filtering vs uMatrix

Do not use uMatrix and uBlock Origin with Dynamic Filtering together (not to be confused with regular uBlock Origin). They will conflict each other according to the addon author. Disable uBlock’s Dynamic Filtering (it should be off by default) if you use uMatrix. uBlock should be used as an ad blocker.

uBlock should get out of uMatrix’s way, This means, if you use both addons then go to uBlock’s 3rd party filters area in Dashboard and un-check the HOSTS files that are checked under Multipurpose section. The ones you should un-check are the ones that are already CHECKED in uMatrix (at chrome://umatrix/content/dashboard.html#hosts-files). For example, “hpHosts’s Ad and tracking servers‎”. There is no need to have it checked in both addons. It’s important to enabled it in uMatrix and disable it in uBlock, and NOT the other way around! uMatrix should have the priority!

My recommendation: uMatrix for the purpose of blocking scripts. uBlock Origin as an ad blocker.

Ghostery vs Disconnect

It is true that Ghostery blocks more trackers, but based on my tests on ABC, CNN, independent.co.uk, download.com and few other news sites there were many trackers that Ghostery missed which were blocked by Disconnect, and vice verse. Keep in mind that I tested the addons separately one by one, within a 2 minute time frame, in order to get accurate results.

Things that Disconnect blocked and Ghostery missed: AdRoll, Amazon, BlueKal Bizo, Casale Media, ComScore , Cross Pixel, Mediametre, Nielsen (Ghostery never blocks this even though it’s one of the most popular trackers), OpenX, PubMatic, New Relic.

replaces certain blocked elements with an overlay so you can allow in case it breaks the layout, like Disqus comment section.

Reasons to use Disconnect:

blocks some trackes missed by Ghostery.

open source?

My recommendation: use both if you want to block more trackers. If you have to use one - go for Ghostery.None of the addons makes the other one redundunt!

What about Privacy Badger? How does it perform against Ghostery and Disconnect ?

Privay badger does not use signatures. It uses a behavioural blocking. It might allow certain tracking elements to enter your browser and “stay there”, but once those things start following you around, they should be blocked. I have no way to test it due the the way it operates. It’s made by EFF which is a pro-privacy organization so it’s trustworthy. The behavioural blocking is good because you don’t rely on lists that need to be updated, so you might end up blocking a tracker that signature based addons missed, although I don’t think this can be effective against all trackers. I do recommend Privacy Badger, but I don’t think it makes other addons redundant.

uBlock vs AdBlockPlus

Both are ad blockers. Only one should be used. You can add additional block-lists to both addons.

Reasons to use uBlock:

actively maintained by a small group of developers who won the Oscar award for the best drama of 2015

uses less resources.

more customizable. You can easily block select elements, like the annoying Google warning that begs you to use Chrome browser.

Reasons to use AdBlockPlus:

actively maintained by a large organization that has more resouces and has won multiple lawsuits in Europe

they create some (or all?) the ad blocking lists used to other ad blockers

they advocate a web with non-intrusive ads

My recommendation : uBlock with “Merged Ultimate list” and other lists that people recommend.

Please support publishers. If the ads are not annoying, consider disabling the ad blocker for that particular website. Before you go on and say that ABP takes money from ad networks to allow some text ads…I know that…and you should consider to knock that shit off already. Go to ABP setting and disable the non-intrusive ads if you don’t want them.

Does uMatrix make Ghostery(or Disconnect) redundant ?

No! Let me give you an example why. I did a test on CNN. They had an Adobe Analytics script running from within the CNN domain, which is whitelisted because it’s 1-st party. If I block that, the site won’t work properly and things like videos and images won’t load properly, so I have to allow it. The path is something like this http://metrics.cnn.com/b/ss/cnn-adbp-domestic/1/H.26.1/whatever….. uMatrix didn’t block the Adobe tracker from here, but Ghostery did. I’m guessing Ghostery knows there is a tracker there because it uses block list manually added by Ghostery. uMatrix doesn’t block it because I told it not to, so I could read the website. You get the point…